DOD takes aim at info assurance architecture

Last year alone, the department successfully blocked 50,000 attempts to gain root-level access to its systems. 'Defense's Robert Lentz

The Defense Department is building an end-to-end information assurance architecture to layer cybersecurity into its IT infrastructure.

DOD is developing the ambitious IA architecture as it builds the infrastructure for the Global Information Grid.

The security framework will be integrated with GIG, an effort to connect military systems around the world. The effort is a sprawling one: Defense has roughly 3 million computers, 100,000 LANs and 100 long-distance networks all being woven into GIG.

Although the systems security architecture must take into account GIG's far-flung components, its need becomes apparent if one considers the continued aggression aimed at DOD systems, said Robert Lentz, director of information assurance at DOD.

Last year alone, the department successfully blocked 50,000 attempts to gain root-level access to its systems, he said last month in testimony before the House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities.

But a chief hurdle that DOD faces in trying to secure its systems lies in the department's use of antiquated IT, Lentz said.

'When I go and visit the combatant commanders and see them using very aged computer systems, it's very troubling because you can't overlay IA on a very aged technology,' he said.For example, Microsoft Windows 95 cannot support public-key infrastructure technology, Lentz said.

'It just won't work effectively. You need IT modernization to do that,' he added. 'You have to have a modern IT system at the application level.'

An IA directive issued in October and additional instructions released in March offer a general framework for achieving integrated, layered protection for DOD systems and networks, he said.Much needs to be done to handle growing cyberthreats. And the situation is exacerbated by the department's increased use of commercial technologies, Lentz said.

Some initial work on the information assurance architecture is scheduled to be completed this month, said Glenda Turner, who works on IA policy and integration issues in Lentz's office. The National Security Agency is leading development of the architecture within DOD.

'This is part of the department's larger transformation effort. It is aimed at helping achieve the vision of GIG,' Turner said.

Security gaps

Robert F. Dacey, director of the IT team for the General Accounting Office, said DOD has made progress in securing its systems, but said the department still lacks an effective information security management program.

In testimony before the Armed Services subcommittee, Dacey said that as Defense relies more on information networks for a variety of functions, from conducting business to launching missiles, cyberterrorism is a growing concern.

'Although DOD has undertaken its Defense-wide information assurance program to promote integrated, comprehensive and consistent practices across the department. ... It does not have mechanisms in place for comprehensively measuring compliance with federal and Defense information security policies and ensuring that those policies are consistently practiced throughout DOD,' Dacey said.

Rep. Jim Saxton (R-N.J.), chairman of the subcommittee, agreed. 'While programmers and software developers build more advanced systems to run more tasks, criminals become more creative in their methods to break into these systems,' Saxton said.

The problem is complicated by the fact that 'DOD systems have grown up in a fragmented way. None of the services has a single system,' Saxton added.